Hi NXP,
I am working with the Imx8mn_ddr4_evk board with imx-5.4.70-2.3.0, testing it with some proofs of concept. The current point of the board is as follows:
The bootloader has been configured with the IMX_HAB flags enabled for security, and a double A/B partitioning scheme to allow rollback on RootFs update. The u-boot and kernel images are being signed according to the uboot-imx-habv4-guides guidelines; in the concrete implementation we have chosen to make use of the Variscite environment in Yocto for this particular signing task.
The desired result is the verification of the bootloader image and, following the chain of trust, the authentication of the corresponding kernel image inside the verified u-boot.
After writing the fuse registers with the public key, the u-boot image seems to be verified:
U-Boot SPL 2020.04-5.4.70-2.3.0+gf6dcf9c2fb (Sep 29 2023 - 11:26:41 +0000)
power_bd71837_init
DDRINFO: start DRAM init
DDRINFO: DRAM rate 2400MTS
DDRINFO:ddrphy calibration done
DDRINFO: ddrmix config done
Normal Boot
Trying to boot from BOOTROM
image offset 0x0, pagesize 0x200, ivt offset 0x0
hab fuse not enabled
Authenticate image from DDR location 0x401fcdc0...
NOTICE:  BL31: v2.2(release):rel_imx_5.4.70_2.3.0-0-gf1d7187f2
NOTICE:  BL31: Built : 07:14:47, Jul  6 2023
U-Boot 2020.04-5.4.70-2.3.0+gf6dcf9c2fb (Sep 29 2023 - 11:26:48 +0000)
CPU:   i.MX8MNano Quad rev1.0 1500 MHz (running at 1200 MHz)
The hab_status command is not reporting any error events:
u-boot=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
Despite this, the boot of the kernel image seems to be poorly constructed, as the following error message complaining about the structure of the IVT appears when booting the kernel image:
RootFs Slot A
Saving Environment to MMC... Writing to redundant MMC(2)... OK
switch to partitions #0, OK
mmc2(part 0) is current device
28013056 bytes read in 117 ms (228.3 MiB/s)
Booting from mmc ...
40960 bytes read in 8 ms (4.9 MiB/s)
hab fuse not enabled
Authenticate image from DDR location 0x40480000...
bad magic magic=0xfb length=0x65ef version=0xef
bad length magic=0xfb length=0x65ef version=0xef
bad version magic=0xfb length=0x65ef version=0xef
Error: Invalid IVT structure
Allowed IVT structure:
IVT HDR       = 0x4X2000D1
IVT ENTRY     = 0xXXXXXXXX
IVT RSV1      = 0x0
IVT DCD       = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF      = 0xXXXXXXXX
IVT CSF       = 0xXXXXXXXX
IVT RSV2      = 0x0
## Flattened Device Tree blob at 43000000
   Booting using the fdt blob at 0x43000000
   Using Device Tree in place at 0000000043000000, end 000000004300cc78
Can't find cec device id=0x3c
fail to probe panel device adv7535@3d
failed to get any video link display timings
probe video device failed, ret -22
Starting kernel ...
Note: the public key registers have been written, but the sample is still open. Could this be the source of the error? Does the device need to be closed for this?
Is it possible that I am not taking into account the partitioning scheme when signing the kernel images?
I would be grateful for any help you can give me.
Hi @Sanket_Parekh,
Thanks for replying. As you say, it is not a question of the open/closed state of the device but of the IVT itself: by mistake, the generation of the wks file was not including the signed kernel. Once done, I have been able to boot both partitions without problems and without any reported HAB event.
Thank you very much for your interest, have a nice day!
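
A host-side check for the failure discussed in this thread, as an added example that is not part of the original posts: it validates the eight IVT words against the "Allowed IVT structure" listing from the U-Boot log, so an unsigned image can be caught before it goes into the wks file. The IVT offset passed in, the little-endian word order and the sample images are assumptions; all sample data is constructed.

```python
import struct

# Field order and fixed values follow the "Allowed IVT structure" listing
# printed by U-Boot in the log above. None = the listing allows any value.
IVT_FIELDS = [
    ("HDR", None),        # checked separately against 0x4X2000D1
    ("ENTRY", None),
    ("RSV1", 0x0),
    ("DCD", 0x0),
    ("BOOT_DATA", None),
    ("SELF", None),
    ("CSF", None),
    ("RSV2", 0x0),
]
IVT_SIZE = 4 * len(IVT_FIELDS)  # eight 32-bit words


def parse_ivt(blob, offset):
    """Return {field: value} for the eight words at offset (little-endian assumed)."""
    if offset < 0 or offset + IVT_SIZE > len(blob):
        raise ValueError("IVT offset 0x%x is outside the %d-byte image" % (offset, len(blob)))
    words = struct.unpack_from("<8I", blob, offset)
    return {name: word for (name, _), word in zip(IVT_FIELDS, words)}


def check_ivt(blob, offset):
    """Return the mismatches against the allowed structure; an empty list means OK."""
    ivt = parse_ivt(blob, offset)
    problems = []
    # 0x4X2000D1: X is a free nibble, every other nibble is fixed.
    if (ivt["HDR"] & 0xF0FFFFFF) != 0x402000D1:
        problems.append("HDR=0x%08x, expected 0x4X2000D1" % ivt["HDR"])
    for name, fixed in IVT_FIELDS:
        if fixed is not None and ivt[name] != fixed:
            problems.append("%s=0x%x, expected 0x%x" % (name, ivt[name], fixed))
    return problems


# Constructed sample data, not taken from a real image.
PAYLOAD = b"\x00" * 0x1000  # stands in for the padded kernel
GOOD_IVT = struct.pack("<8I", 0x412000D1, 0x40480000, 0, 0, 0, 0x40481000, 0x40481020, 0)
SIGNED = PAYLOAD + GOOD_IVT
# Unsigned image: arbitrary data where the IVT should sit. The first and last
# header bytes reuse the magic=0xfb / version=0xef values from the log.
UNSIGNED = PAYLOAD + bytes([0xFB, 0xEF, 0x65, 0xEF]) + b"\x5a" * 28

if __name__ == "__main__":
    for label, image in (("signed", SIGNED), ("unsigned", UNSIGNED)):
        print(label, check_ivt(image, 0x1000) or "IVT OK")
```

The offset argument must be the position at which the signing step placed the IVT in the image being checked; 0x1000 here only matches the constructed samples.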